Trust

Security

Effective and last updated: May 13, 2026

1. Local-first architecture

Strategies, methodology configurations, and broker credentials live only on the customer's machine. There is no cloud database of customer trading data, and ShapeUp servers do not have access to it.

2. Payment security

Payments are processed by Paddle.com (Merchant of Record) and Stripe Payments, Inc. Both providers are PCI DSS certified. Rubicon never sees, stores, or transmits raw card data. All payment flows occur over HTTPS / TLS.

3. Application security

  • Sandboxed code execution for imported strategies
  • Database integrity verification at startup
  • Encrypted credential storage at rest, using OS-level secret stores where available
  • Append-only audit log for trading actions
  • Dependencies regularly scanned for known CVEs

4. Third-party security

Rubicon AI is built on Hermes Agent, an MIT-licensed open-source agent runtime by Nous Research. AI conversations are routed directly from the customer's machine to the AI provider the customer selected; ShapeUp does not see the contents.

5. Vulnerability disclosure

We welcome responsible disclosure of security issues. Please email security@rubicontrading.io with details. We aim to acknowledge reports within 2 business days. A /.well-known/security.txt file is published at the website root.

6. Roadmap

  • SOC 2 Type 1 attestation planned for late 2026
  • Independent penetration testing planned for 2026